Summary

Several vulnerabilities were discovered in all Emacs versions up to 20.6, namely:

Under certain circumstances, unprivileged local users can eavesdrop on the communication between Emacs and its subprocesses.

It is impossible to safely create temporary files in a public directory from Emacs Lisp.

The history of recently typed keys may expose passwords.

Especially the first two vulnerabilities seriously impact the use of tools like mailcrypt in a multi-user environment.

1. Improper permissions on slave PTYs

Scope

Affected systems:

GNU/Linux (both GNU libc 2.x and libc5)

FreeBSD (and probably other *BSD variants)

HP-UX 10.x, 11.00

AIX 4

Unaffected systems:

Solaris (The Solaris runtime system automatically adjusts the PTY permissions.)

Data General’s DG/UX seems to be unaffected, according to the source code. Other systems have not been examined.

Severity

High in multi-user environments, low otherwise.

Problem

On the systems listed above, when a new subprocess is created using the builtin Lisp function start-process, Emacs doesn’t set proper permissions for the slave PTY device.

Impact

Unprivileged local users can eavesdrop on the data which Emacs sends to its subprocess and fake responses from the subprocess. This impacts Emacs packages such as Mailcrypt, which transmit (among other things) PGP passphrases over this data channel.

Solution

At Emacs Lisp level, the only workaround is to use call-process instead of start-process. Of course, this is not always an option because the functionality provided by these functions is not the same (synchronous vs. asynchronous subprocesses).

The real solution requires modification of the Emacs C source code. A patch for Emacs 20.6 is included below which enables Emacs to use Unix98 PTYs. The patch is known to work on the following systems:

GNU/Linux with GNU libc 2.1

AIX 4.2

HP-UX 11.00

It is expected to work on HP-UX 10.x as well. (Under some versions of HP-UX, grantpt() does not behave as specified. The patch contains a suitable workaround.)

Unfortunately, systems lacking Unix98 support (such as Linux with libc5 and GNU libc 2.0, FreeBSD and AIX 3) require a completely different fix and a setuid root binary to change the PTY permissions (in other words: some kind of userspace Unix 98 PTY emulation). There are no plans to provide this emulation; Unix 98 PTYs are already widely adopted and most Unix derivatives provide them (with the notable exception of several *BSD variants). For FreeBSD, an enhancement to openpty() has been proposed which sets proper permissions on the slave TTY device (see problem report bin/9770). The proposal has yet to be adopted, though.

Future Emacs releases will contain a similar fix.
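The check a practitioner would want after applying such a fix is whether the slave device actually ends up private to the Emacs user. The following C program is an added example for this advisory, not code from RUS-CERT or from the Emacs sources: it allocates a Unix98 PTY with posix_openpt()/grantpt()/unlockpt() the way the patched Emacs is meant to, tightens the slave mode explicitly (the fallback the advisory mentions for HP-UX releases whose grantpt() misbehaves), and then stat()s the slave before it would be handed to a subprocess. The names pty_perms_are_private and open_private_pty are this example's own.

```c
/* Added example for this advisory (not from RUS-CERT or the Emacs
 * sources): allocate a Unix98 PTY the way the fix intends and verify the
 * slave's ownership and mode afterwards.  pty_perms_are_private and
 * open_private_pty are names chosen here. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated here so the block still compiles if system headers
 * were included before the feature macro above took effect. */
int posix_openpt(int);
int grantpt(int);
int unlockpt(int);
char *ptsname(int);

/* Returns 1 when a slave PTY with this owner and permission bits cannot be
 * read or written by another unprivileged user.  Group write alone is
 * tolerated because grantpt() conventionally leaves 0620 with the tty
 * group for write(1)/wall(1); group read already exposes the data stream
 * and is rejected like any "other" access. */
int pty_perms_are_private(uid_t owner, mode_t mode, uid_t me)
{
    if (owner != me)
        return 0;
    if ((mode & (S_IRGRP | S_IRWXO)) != 0)
        return 0;
    return 1;
}

/* Allocates a Unix98 PTY master, stores the slave path in slave_path and
 * returns the master fd, or -1 if the slave could not be made private.
 * grantpt() is the call that chowns/chmods the slave; the explicit chmod
 * afterwards is the fallback for systems where grantpt() misbehaves (the
 * advisory cites some HP-UX releases), and the stat() is the check that
 * must pass before any secret is written over the channel. */
int open_private_pty(char *slave_path, size_t len)
{
    struct stat st;
    const char *name;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0
        || (name = ptsname(master)) == NULL || strlen(name) >= len)
        goto fail;
    strcpy(slave_path, name);
    /* Stricter than grantpt()'s usual 0620: only the owner may touch it. */
    if (chmod(slave_path, S_IRUSR | S_IWUSR) < 0)
        goto fail;
    if (stat(slave_path, &st) < 0
        || !pty_perms_are_private(st.st_uid, st.st_mode & 07777, getuid()))
        goto fail;
    return master;
fail:
    close(master);
    return -1;
}

int main(void)
{
    char path[64];
    int master = open_private_pty(path, sizeof path);
    if (master < 0) {
        perror("open_private_pty");
        return 1;
    }
    printf("slave %s is private to uid %u\n", path, (unsigned)getuid());
    close(master);
    return 0;
}
```

On an affected system without the patch, the equivalent check against the slave that start-process hands to its child is what reveals the problem: the device is world-readable or owned by another user, and pty_perms_are_private() returns 0.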

2. Unsafe creation of temporary files

Scope

All Unix-like Emacs platforms on which public directories are used to store temporary files.

Severity

High in multi-user environments, low otherwise.

Problem

Emacs Lisp does not provide any functionality to create a file in a publicly writable directory in a safe way.

Impact

Many Emacs packages use the make-temp-name Lisp function to create names for temporary files. These names are not very hard to guess. Because it is impossible to create the actual temporary file in a safe manner, the usual symlink attacks are likely to succeed.

Solution

Emacs 21 will provide a new make-temp-file function (which creates the file in question in a safe way) and thus the functionality to safely create temporary files. In the meantime, until Emacs 21 is released and package maintainers adopt the new function, private directories for temporary files should be used. Most packages provide variables for that. For example, for Mailcrypt, the variable mc-temp-directory has to be set, and for Python Mode, it's py-temp-directory.
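The two halves of this section, the symlink problem with guessable names and the private-directory workaround, can be shown in a few lines of C. The program below is an added example, not code from the advisory, from Emacs or from any of the packages named: inside a throwaway directory it plants a symlink at a guessable name, shows that a plain open(O_CREAT) follows it and clobbers the target, and shows that the O_EXCL|O_NOFOLLOW open (the behaviour mkstemp() gives and that make-temp-file is meant to provide) refuses instead. tempdir_is_private encodes the property a directory configured via mc-temp-directory or py-temp-directory should have. All function names are this example's own.

```c
/* Added example (not from the advisory, Emacs, Mailcrypt or Python Mode):
 * demonstrates, inside a fresh private directory, why a guessable name
 * must not be created with a plain open(O_CREAT) in a shared directory,
 * and what the safe variant looks like.  demo_symlink_attack,
 * naive_create, safe_create and tempdir_is_private are names chosen here. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when these directory permissions make it a private temp
 * directory: owned by this user and writable by nobody else.  A sticky
 * world-writable directory such as /tmp fails on purpose; that is the
 * shared case the advisory tells you to avoid. */
int tempdir_is_private(uid_t owner, mode_t mode, uid_t me)
{
    return owner == me && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* The pattern to avoid: O_CREAT without O_EXCL opens whatever already
 * sits at the path, including a symlink planted by someone else. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* The safe pattern (what mkstemp() does): O_EXCL makes the open fail
 * with EEXIST if anything, symlink included, already exists at the path;
 * O_NOFOLLOW is belt and braces. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                S_IRUSR | S_IWUSR);
}

static int write_all(int fd, const char *s)
{
    size_t n = strlen(s);
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Runs the demonstration in a fresh private directory (under /tmp, or the
 * current directory if /tmp is unusable).  Returns 1 if the naive open
 * followed the planted symlink and overwrote the victim file while the
 * safe open refused with EEXIST, 0 if either did not happen, -1 on setup
 * failure.  Everything created is removed again. */
int demo_symlink_attack(void)
{
    char dir[64], victim[128], link[128], buf[32];
    int result = -1, fd, naive_followed = 0, safe_refused = 0;
    ssize_t n;

    strcpy(dir, "/tmp/advisory-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "advisory-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/guessable.tmp", dir);

    /* Victim file with known contents, and a symlink at the guessable name. */
    if ((fd = safe_create(victim)) < 0 || write_all(fd, "original") < 0
        || close(fd) < 0 || symlink("victim", link) < 0)
        goto out;

    /* Naive creation: the open follows the link and truncates the victim. */
    if ((fd = naive_create(link)) >= 0) {
        write_all(fd, "clobbered");
        close(fd);
        if ((fd = open(victim, O_RDONLY)) >= 0) {
            n = read(fd, buf, sizeof buf - 1);
            close(fd);
            if (n >= 0) {
                buf[n] = '\0';
                naive_followed = strcmp(buf, "clobbered") == 0;
            }
        }
    }

    /* Safe creation: refuses because something already exists there. */
    fd = safe_create(link);
    safe_refused = fd < 0 && errno == EEXIST;
    if (fd >= 0)
        close(fd);
    result = (naive_followed && safe_refused) ? 1 : 0;
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("naive open followed the symlink, safe open refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The same stat()-based check used for the PTY applies to the directory you point mc-temp-directory or py-temp-directory at: tempdir_is_private(st.st_uid, st.st_mode & 07777, getuid()) should return 1, which rules out /tmp and any group-writable directory.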

3. Passwords are stored in the key history

Scope

All platforms.

Severity

Low.

Problem

Functions like read-passwd do not clear the history of recently typed keys. In fact, there is no way to do that from Emacs Lisp.

Impact

Passwords might be recovered by someone who has access to the console on which Emacs is running, subverting password expiry as provided, for example, by Mailcrypt. (Usually, there are many other ways to obtain passwords if you can type C-h l inside a foreign Emacs, though.)

Solution

The patch below adds code to clear-this-command-keys which will erase the vector containing the last 100 events. In the past, this function was already used as if it behaved that way.

Acknowledgements

Helmut Waitzmann for rediscovering the PTY permissions problem and testing the HP-UX patch. Gerd Moellmann of the Emacs development team for the patch to clear-this-command-keys and helpful comments.

Patch against Emacs 20.6

The patch below is against GNU Emacs 20.6, as available at GNUFTP mirrors. Note that you have to run autoconf to recreate the configure script (including it would have enormously increased the size of the patch).

Download the patch. (not available anymore)

About RUS-CERT

RUS-CERT is the Computer Emergency Response Team located at the Computing Center (RUS) of the University of Stuttgart, Germany.